Data protection: myths and reality of DLP

Myths existed always: based on imagination, on impossibility to explain something, or just owing to long ago outdated information. Modern myths, of course, strongly differ from ancient, but the reasons of emergence in them identical. And the modern mythology is not only various city legends and horror stories by which frighten disobedient children for the night, myths appear in absolutely different areas and the sphere of data protection – not an exception.

Staff of analytical center Falcongaze decided to collect the most popular myths from the DLP area which specialists of the company in the practice at communication with potential customers of a system for SecureTower data protection faced. Except collecting of DLP folklore, analysts of the company decided to undertake a role of destroyers of legends, having discredited thereby many slander which is said occasionally the DLP systems.

DLP systems cost much and do not pay for itself

This myth was successfully created at the beginning of development of the DLP sphere, however since then a lot of things changed. Perhaps, DLP this and not cheapest pleasure, however in modern realities exist solutions with flexible pricing policy and quite democratic cost in this segment.

Also, often from buyers it is necessary to hear that no leak can be compared at the price to the DLP solution. And though to count the cost of leaks not easy, nevertheless, statistically, the notebook lost, or stolen from the top manager (on which the data on key clients given about transactions or financial information can be stored) costs an average of $46,000. However now it is already not enough to solutions for data protection to be limited only to protection against leaks: the modern DLP systems should contain the tools capable to solve the whole complex of problems in the field of both information, and economic safety of the company. Besides, as practice shows, correctly configured DLP system, pays off for the first two-three months of use, and even for the test stage.

Why to pay for DLP?

What does the company pay for, purchasing a DLP system? The first that comes to mind and is the correct answer — for reduction of risk of leak of confidential information on different information channels. In this case understand all modern channels using which the staff of the company communicates with the world around as them: e-mail, Skype, instant messaging systems, external information media …^[1]

It is quite obvious that than more data transmission channels a DLP system is able to cover, especially the protection against date leaks performed with its help will be effective. However, it is only iceberg top. Also the analytical component responsible for detection of confidential data in the intercepted traffic is not less important. As a matter of fact these two factors on which the efficiency of a DLP system depends influence its cost. In general the DLP system can cover more channels of potential date leak and the more methods she suggests to recognize confidential documents, the more expensive it will be. However, as well as in any other market, high cost not always means high quality.

Actually a DLP system always has two prices: price of vendor and price of integrator. From them the first is the cost of the 'naked' components of a system needing further setup and operational development 'to mind'. The second — the price of all additional actions after installation of the solution, necessary that 'enter' it in your organization.

Price of vendor

In many respects producers of DLP systems estimate the products randomly though in them, certainly, actual costs which they incurs are put. However much more the price depends on a business model which was chosen for itself by vendor.

The first option — acquisition of service in a subscription. Enough often such method of sale of the products is practiced by suppliers of solutions SaaS, the anti-virus companies and some other software makers. Actually the company can just acquire the right to use a DLP system during the certain time frame (from several months to several years) upon termination of which it loses all protection of the data against leaks. Quite often similar method of sale of solutions is disguised under implementation of technical support — at such scenario the cost of initial acquisition of a DLP system is rather small value.

In the second case technical support — it is valid an opportunity to address vendor in case of any emergency situations, a DLP system in itself will perfectly work also without it. It is quite clear that at such business model the cost of a DLP system is much higher, but expenses on its operation will be much less, than in the first option. Sometimes the producer allows to buy a possibility of the address to technical support directly at the moment when in it there is a need, but not to pay for it continuously during any term.

In other operating costs it is worth writing the cost of additional software (for example, the database server) which is required to a DLP system for a full-fledged work. However, as in most the companies there is already industrial DBMS, it is necessary to be spent by not all.

DLP system cost at vendor for the average sizes of the company (from 100 to 500 workstations) averages from two to twenty thousand rubles on one workstation.

Price of integrator

Integrator — the company which is engaged in delivery and software implementation to the specific organizations. It is quite clear that existence of an additional link between vendor and the organization consumer only increases DLP system cost for the last, however it is necessary to notice that in some cases work of integrator is really necessary for the final acquirer of a product.

In many regions the vendor simply has no representations which would be engaged in sales and support of solutions. In such cases clients from these regions have the only opportunity integrators which often work with several vendors and thanks to it can propose the solution, optimal for the customer. Though the integrator, of course, will be interested in advancing that solution which will bring it more money. Besides, many organizations — as a rule, public institutions — essentially do not work with vendors directly.

However, you should not think that integrator a beret to 'excess' value added in vain. Specialists of the company integrator are able to book preliminary audit of an enterprise information system, the person interested to purchase DLP, to customize a system after its installation (at least to load necessary dictionaries, to check working capacity, etc.), and sometimes offer also more complex services, including development of the concept of information security of the organization. Though usually with it address to the specialized consulting companies.

On average the integrator increases DLP system cost for the organization purchasing it by 30 — 40% in comparison with the price of vendor. Therefore if there is an opportunity, it is better to purchase such solution directly at vendor.

The price of a DLP system depends on a set of factors and can fluctuate from 'floor' to 'ceiling' which in this case are defined only by imagination of vendor and integrator. Therefore it is not necessary to be surprised if to you 'counted' twice more, than to your business partners — it is possible, will be 'count' more simply and more conveniently at other integrator.

DLP systems are necessary only to the big organizations

Initially DLP solutions intended only for the large companies, with a large number of workstations. But now most vendors agree that the market of medium and small business is extremely perspective, however the few from developers are capable to propose the solution which will meet requirements and specifics of this market.

Nevertheless, for today there were qualitative solutions which are equally effectively working both in the sector of large enterprises, and in the companies which number of employees is not calculated by four-digit digits.

Implementation, service of DLP requires many people and time

Many customers even do not think of installation of a DLP system as they consider that service of such product takes away too much time and requires big staff of specialists. Also the majority is sure that installation of the DLP solution will automatically cause big purchase costs of the expensive equipment, and system implementation for data protection will be very long and will inevitably lead to a stop of business processes in the organization.

Anyway, implementation of a qualitative system will not affect at all the existing infrastructure of network and the more so will not interrupt workflows in the company. Usually commissioning of a qualitative DLP system seldom takes more than four-five hours. Naturally, all this becomes possible only if the customer made a right choice for benefit of the qualitative, stable and failsafe DLP solution.

All DLP are complex in mastering and use

The great number of customers is sure that it is too difficult and inconvenient to configure and use a DLP system because of a large number of components and difficult parameters.

However not all systems for information security support imply the inconvenient and bulky interface which even with long-term experience it is not always possible to experienced specialist to understand. The DLP developers who are really caring for the customers always think not only of efficiency of the provided product, but also and of that their child had so simple interface that its use did not cause difficulties even in unexperienced employees. Qualitative products are obliged to have the single console from which control of all system is exercised. To make work with DLP products simpler, the most effective solutions already contain the preset safety rules and their edited templates which allow to use a system from the moment of its start.

The choice of a DLP system is serious case, and the customer should be guided not only the councils obtained from the Internet, from vendors or the acquaintances, but also first of all to rely on own impressions of a product which can be received during testing of different solutions.

Unfortunately, occasionally it happens so that, without having understood, based on some councils, the customer selects a DLP system which completely disappoints him. After one negative experience many are ready "give up as a bad job" all other DLP systems and it promotes emergence and rooting of myths. Alas, such situation – not a rarity. Nevertheless, before speaking final "it is not necessary", once you try something else, and already then to decide that in the field of DLP is the myth and that – no.

The majority of internal information leaks happen purposely

This myth is one of the most widespread. In most the companies there is a certain percent of malefactors, however it is low. As a rule, employees do not want to do harm to the employer.

The only hitch consists that if the company does not inform the employees on corporate ethics in the field of security, then they can just not know that they do to the organization harm.

Often employees put at risk information, important for their company, for the sake of own convenience. As an example, many often unload the valuable corporate data on cloud services for convenience of work from the house.

Finally, most of employees doing harm to the company, do it inadvertently. The personnel of the organization do not intend to do something illegally, he just does not know that he thus causes a loss to the employer.

Staff of the organization can only be insiders

The checked fact that the staff of the company is not the only source of internal threat of information leak.

The organizations, as a rule, can work with a long chain of the companies from the outside. In most cases, they communicate using cloud services of the organization. The confusion who and where should have access results.

Incident, for example, can arise if the organization has no opportunity to somehow keep track of behavior of the employee during the work with outsourcers or in a work progress in cloud applicaions. Thus it is just impossible to learn whether the organization saves the confidential information or not. Any organization should secure itself against such situation.

Protection against insiders in the virtualized cloud environment differs in nothing from measures of protection of systems in the environment of physical

On the one hand virtualization, perhaps, facilitated life of system administrators for support of infrastructure of IT technology, but on the other hand it became simpler to insiders to steal information. Centrality and compactness of the virtualized systems facilitate to the malefactor a problem of gaining access to information.

It is simpler to insiders to attack the virtualized environment than physical as having got access to its infrastructure, they guarantee themselves access to all systems.

It is important to control attentively distribution of access rights of employees during the work in the virtualized environment. In most cases administrators of such systems are allocated with the powers sufficient for theft of confidential information, configuration change or removal of the necessary information.

Information can be protected by means of the simplest information security systems

Whether insiders independently not so essentially steal information, or manage helpers, clearly one that easy ways of access control and internetwork protection are not capable to secure data against unauthorized access completely.

Insufficient degree of security or the malware help malefactors to get into information systems of the organization. They use any holes in: FTP, corporate e-mail, files or protocols. One chink in the system of protection suffices to open an information system for well organized team of criminals.

There are several technology methods reliably to protect information from insiders. For example the enciphering turning information into a useless symbol set for the insider or use of the reliable management systems of access control applying technologies of strict multifactor authentication.

Control of employees always reduces risks of information leak

Control of employees of the organization can be hardly considered as a panacea from threat of insiders. The organizations practice the different systems for control of the employees, however at incorrect setup they are useless.

For example, Most the organizations have the wrong system of preserving log of files owing to what they cannot reveal the occurred incident and when it occurs, they cannot identify the violator as can be configured on tracking of statistics of a short period.

Summarizing this article, it is very important to emphasize that the companies should be vigilant when case concerns protection of the crucial, classified information against actions of insiders. Crucially not only to adhere to the above-stated recommendations, but also to implement modern preventive technologies for reduction of risk of the insider.

Notes